lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 13 Jun 2024 22:19:56 +0000
From: Oliver Upton <oliver.upton@...ux.dev>
To: Sebastian Ott <sebott@...hat.com>
Cc: linux-arm-kernel@...ts.infradead.org, kvmarm@...ts.linux.dev,
	linux-kernel@...r.kernel.org, Marc Zyngier <maz@...nel.org>,
	James Morse <james.morse@....com>,
	Suzuki K Poulose <suzuki.poulose@....com>,
	Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will@...nel.org>, Shaoqin Huang <shahuang@...hat.com>,
	Eric Auger <eric.auger@...hat.com>
Subject: Re: [PATCH v4 3/6] KVM: arm64: add emulation for CTR_EL0 register

Hi Sebastian,

On Mon, Jun 03, 2024 at 03:05:04PM +0200, Sebastian Ott wrote:

[...]

> +static int validate_cache_topology(struct kvm_vcpu *vcpu, u64 ctr_el0)
> +{
> +	const struct sys_reg_desc *clidr_el1;
> +	unsigned int i;
> +	int ret;
> +
> +	clidr_el1 = get_sys_reg_desc(SYS_CLIDR_EL1);
> +	if (!clidr_el1)
> +		return -ENOENT;

This doesn't actually matter if we agree on dropping the cross-checking,
but if this lookup fails it is 100% a KVM bug. Returning ENOENT isn't
exactly right here, since it gives userspace the impression that the
sysreg index it tried to access does not exist.

So in the future it'd be good to return EINVAL in places where the
kernel did something stupid, probably with a warning for good measure.

> +static int set_ctr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
> +		   u64 val)
> +{
> +	u64 ctr, writable_mask = rd->val;
> +	int ret = 0;
> +
> +	mutex_lock(&vcpu->kvm->arch.config_lock);
> +	ctr  = vcpu->kvm->arch.ctr_el0;
> +	if (val == ctr)
> +		goto out_unlock;
> +
> +	ret = -EBUSY;
> +	if (kvm_vm_has_ran_once(vcpu->kvm))
> +		goto out_unlock;
> +
> +	ret = -EINVAL;
> +	if ((ctr & ~writable_mask) != (val & ~writable_mask))
> +		goto out_unlock;
> +
> +	if (((ctr & CTR_EL0_DIC_MASK) < (val & CTR_EL0_DIC_MASK)) ||
> +	    ((ctr & CTR_EL0_IDC_MASK) < (val & CTR_EL0_IDC_MASK)) ||
> +	    ((ctr & CTR_EL0_DminLine_MASK) < (val & CTR_EL0_DminLine_MASK)) ||
> +	    ((ctr & CTR_EL0_IminLine_MASK) < (val & CTR_EL0_IminLine_MASK))) {
> +		goto out_unlock;

I'd prefer if we addressed the issue w/ arm64_check_features() by making
CTR_EL0 behave like the other registers in the ID space instead of
open-coding these sorts of checks.

I believe that can be accomplished by using kvm_read_sanitised_id_reg()
as the ::reset() function in the descriptor and initializing
kvm->arch.ctr_el0 in kvm_reset_id_regs().

> +	}
> +	ret = validate_cache_topology(vcpu, val);
> +	if (ret)
> +		goto out_unlock;

My concerns about adding these sort of cross-checks remains. The sysreg
code will become exponentially more messy with each cross-register check
we add, given the complete lack of ordering on the UAPI.

So long as KVM has independently tested the validity of the cache
hierarchy and CTR_EL0 against the capabilities of hardware, we know that
userspace cannot advertise more than what's supported in hardware.

If CLIDR_EL1 doesn't line up with the value of CTR_EL0 exposed to the
guest then it is a userspace bug. There simply is no amount of
foolproofing that can be done in KVM to protect against a buggy VMM.

-- 
Thanks,
Oliver

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ